Logstash multiline source validation

Hello,

I am in the process of building ELK infrastructure for my systems.
I have several filebeats and so far one logstash.
I have several Java servers and apache servers.

As we all know, we have something like stacktrace on Java servers :smiley:

Ultimately, my colleague wants to assemble resources and make one filebeat.

And now my dilemma :slight_smile:

Is there a possibility that if some stacktrace is sent, then some other log may interrupt multiline?

E.g. Stacktrace goes and has 100 lines. In the meantime, apache or another Java server sends a different log. Is this a problem that multiline may have a problem with?

Does the multiline module verify the source?

If there is a problem here, is there a solution?

It would be best if the whole solution was based on the logstash itself.

THX,
Maciej

Yes, this is exactly why the documentation says to do multiline processing in filebeat, and not in a multiline codec on a beats input.
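The interleaving problem from the question, as an added example that is not part of the original thread and is not Logstash or Filebeat code: a simplified line joiner run once with a single shared buffer (lines from every source arrive in one stream) and once with a buffer per source (lines joined where the file is read). The source names, sample lines and continuation pattern are constructed assumptions.

```python
import re

# Continuation lines of a Java stack trace (assumed pattern for this example).
CONT = re.compile(r"^\s+(at|\.\.\.)\s|^Caused by:")

# Constructed arrivals at one shared input: (source, line). Names are hypothetical.
ARRIVALS = [
    ("java-1", "2024-01-01 10:00:00 ERROR java.lang.IllegalStateException: boom"),
    ("java-1", "    at com.example.Service.run(Service.java:42)"),
    ("apache", '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512'),
    ("java-1", "    at com.example.Main.main(Main.java:7)"),
    ("java-1", "2024-01-01 10:00:01 INFO Recovered"),
]

def join_lines(arrivals, per_source):
    """Join continuation lines into events; return a list of (source, text)."""
    events, buffers = [], {}
    for src, line in arrivals:
        key = src if per_source else "shared"   # one buffer per source, or one for all
        buf = buffers.get(key)
        if buf and CONT.match(line):
            buf[1].append(line)                 # continuation: extend the open event
            continue
        if buf:
            events.append((buf[0], "\n".join(buf[1])))   # flush the previous event
        buffers[key] = (src, [line])            # open a new event owned by this source
    for owner, lines in buffers.values():       # flush whatever is still open
        events.append((owner, "\n".join(lines)))
    return events

if __name__ == "__main__":
    for mode in (False, True):
        print("per-source buffers" if mode else "single shared buffer")
        for owner, text in join_lines(ARRIVALS, per_source=mode):
            print(f"  [{owner}] {text!r}")
```

With the shared buffer the stack trace is cut in two and its last frame ends up attached to the Apache access-log event; with per-source buffers the trace stays whole and the Apache line stays clean.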

Ok. It makes sense :slight_smile:

In that case we are moving multiline to filebeat.

Let's assume that this filebeat will have e.g. 5 Java servers connected. Will filebeat know what to assign? Do I parse files "separately"? Will I have to install filebeat per Java server?

THX,
Maciej
